[dns-operations] correction about RRL leakage

glen wiley glen.wiley at gmail.com
Wed Sep 26 17:55:20 UTC 2012


This seems like a degenerate case to me...there is a threshold below which
attacks
are no longer meaningful.  For most name servers I suspect that an attack
is only
interesting at some rate well above 10's of qps.

As a name server operator not only am I not likely to see anything odd in
an attack
like that, I really don't have the time or inclination to care about
volumes in that
range.

On Wed, Sep 26, 2012 at 1:45 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

> On Monday I wrote:
>
> > I think the complaint is that DNS RRL with "slip 0" and the recommended
> > "responses-per-second 10" could send 10 DNS response/second to the
> > victim.
>
> That is not right because it is an unlikely worst case.  It is true
> that a reflection DoS attack of "responses-per-second" identical queries
> per second for a long time would not be filtered by DNS RRL.  However,
> as this section from the documentation tries to say, excess responses
> during one second suppress responses for subsequent "window" seconds:
>
> ]    Rate limiting uses a "credit" or "token bucket" scheme. Each
> ]    identical response has a conceptual account that is given
> ]    responses-per-second, errors-per-second, and nxdomains-per-second
> ]    credits every second. A DNS request triggering some desired
> ]    response debits the account by one. Responses are not sent
> ]    while the account is negative. The account cannot become more
> ]    positive than the per-second limit or more negative than window
> ]    times the per-second limit. A DNS client that sends requests
> ]    that are not answered can penalized for up to window seconds
> ]    (default 15).
>
> For example, given "slip 0; responses-per-second 10;" and an attack
> of at least 20 forged requests/second, DNS RRL will allow a total 10
> responses for the entire duration of the attack.  Those 10 responses
> will be for the first 10 requests.  The later requests will not be
> answered.
>
> Of course, an attacker could send 10 or fewer requests/second and have
> all of them answered.  That kind of attack is hard to handle because
> it can be undetectable by the reflecting DNS server.  For an extreme
> example, an attacker with a list of 1,000,000 open resolvers could
> send each open resolver one forged request every 10 seconds for
> <random>.isc.org and send the victim about 0.5 Gbit/sec.  None of the
> reflectors is likely to see anything odd about one stray NXDOMAIN every
> 10 seconds.
>
>
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>



-- 
Glen Wiley

"A designer knows he has achieved perfection not when there is nothing left
to add, but when there is nothing left to take away." - Antoine de
Saint-Exupery
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120926/1f1b6e5b/attachment.html>


More information about the dns-operations mailing list